Macs and Windows Servers

Discussion in 'Mac OS X Server, Xserve, and Networking' started by andychelt, Nov 1, 2016.

  1. andychelt macrumors member

    Joined:
    Oct 7, 2011
    #1
    I was just wondering if any of you guys had experience with Macs in a Windows Server environment?

    We currently have a Windows active domain server setup that allows login from any PC in the building by a username/password.

    I have approx. half a dozen Macs (Minis and iMacs) that I'd like for users to be able to login with their normal username and password and access their home folder and files, a process I believe called binding?

    Unfortunately our network guy is militantly anti-Apple and refuses to even do a test with one of these, instead declaring that Apple gear is too unreliable connecting to Windows Servers, and his only "solution" is that I create a separate Mac network for my Apple computers, but then users wouldn't have the ease of accessing their files cross platform!

    Are Macs too unreliable connecting to Windows AD? Does anyone run this type of setup with ease?
     
  2. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #2
    Never really had huge issues in linking Macs to an Active Directory environment, and the issues we did see were easily solvable. Lots of resources for what you want. Unfortunately your IT director is lazy and should be fired. His job is to try to accommodate, not to live on a hill looking down at the "peasants".
     
  3. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #3
    The only Microsoft Domain issues come up with Server 2008 R2 and with that you need to start a time Server in the Domain Server! Starting with Server 2010 onward nothing has to be done to put an OS X Mac on a Microsoft Active Directory Domain Controller.

    Your IT Manager is an idiot!
     
  4. 960design macrumors 68020

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #4
    Yes, years. I almost typed decades, but it has not quite been two decades to get that little 's'.

    Sadly, very common

    Fire him. Get rid of Exchange and use something non-proprietary. Email can be run with free email server software ( example: hMailServer for Windows, or Mac Server Mail ), collaborative folders can be more efficiently run through something like ownCloud. And the list goes on... having said this, I have yet to succeed in getting my own organization to give up their Exchange addiction, life goes on.

    Not at all, the only issues will be the Mac users occasionally getting their keychain out of sync and all hell breaking loose ( for the Mac user, many popups asking for the old password ) until it gets back in sync.

    My MacBookPro and iMac are not bound to the network and can easily access any exchange folder in our network. ( I did not want to bind my Macs ). I just have to use my exchange credentials to 'login' to the shared folders, accessible through Finder > Go > Connect to Server
     
  5. DJLC macrumors 6502a

    DJLC

    Joined:
    Jul 17, 2005
    Location:
    Mooresville, NC
    #5
    I'm an all Mac shop running Active Directory on Server 2012 in the background. Works fine, 1000x more reliable than any Apple-provided server software, and allows Windows compatibility.

    There's no problem. Go for it. And even if there is a problem, it's not going to affect his servers or Windows boxes.
     
  6. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #6
    Plus if you want to show him how easy it is have just watch the video:
     
  7. mzeb macrumors member

    mzeb

    Joined:
    Jan 30, 2007
    #7
    I've been running AD at home with Mac connected and in our office we have a similar setup. I worked on AD for a bit during my time at Microsoft and enterprise deployments have become something of a hobby since :).

    I use the built-in OS X home sync (no longer available on 10.12) on the Mac to sync my home directory to and from our home file server and that is the flakiest part of the setup. Authentication and single sign on work flawlessly.

    At work we have a poorly setup AD. Rather, poorly setup DNS. If your domain is not properly configured Macs are more likely to misbehave than Windows boxes. In our case, our logins, if not cached, can take a very long time.

    RE: Exchange - I use OS X mail to connect with Exchange and it's pretty solid. The Calendar can sometimes be a bit funny. Exchange is the best mail server out there. There is nothing else out there that will give you the bang for buck that it can. It is a pain in the butt to administer but everything else is harder at scale. It's also easiest for users to deal with so it's your best bet for sure.

    All in all, it's pretty darn reliable. I have had very few issues with it.

    RE: Your admin - In the end he is in a support role to support the company. He needs to support you. A simple "no, because I don't want to and Macs suck" is not a good answer for someone who is supposed to be a pro. "Let's discuss how we can make this work within the bounds of our security policy" is a far better answer. I run Windows as my primary server, Linux as my file server and a Windows box and a Mac as my desktop and Laptop. Why? Because you use the right tool for the right job. If the Mac is the right tool for you to use at your company and AD is the right solution for your domain it is your admins job to figure out how to make them work together.
     
  8. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #8
    To be fair, home sync hasn't worked properly in OS X for years, and that's independent of Active Directory integration. It's a good thing that Apple finally killed it rather than pretending to still support it and leaving major bugs unfixed.
     
  9. ZippyDan macrumors newbie

    Joined:
    Nov 4, 2016
    #9
    I'm not sure if you meant to conflate those two issues. No need to fire him for using Exchange. There are other free and not-free solutions that can compete with Exchange, but there is a reason that the saying "No one ever got fired for using Microsoft" exists. Microsoft has plenty of problems, but they're still the gold standard. "They just work" (lol).

    But yes, do fire him for being unwilling to at least attempt to meet his users' needs.

    Oh, I've had this problem. Any tips on how to deal with it?
    --- Post Merged, Nov 4, 2016 ---
    Setting up Macs to work in a Windows environment is easy. The best way to do it is to set up "the Magic Triangle". You set up another Mac as a macOS Server, running Open Directory (OD) and Mac's Profile/Device Manager. You also bind this macOS Server to the Active Directory (AD). Similarly, client Macs get bound to the macOS Server OD and to the AD. Login requests to the Mac clients are handled by AD. Meanwhile, things like Mac preferences and User preferences are applied from the macOS Server via OD. Since the macOS Server is also bound to AD, it can apply Mac preferences to OD groups which contain AD groups.
     
  10. DJLC macrumors 6502a

    DJLC

    Joined:
    Jul 17, 2005
    Location:
    Mooresville, NC
    #10
    I've had the Magic Triangle for two years now and it's pretty great. Although Profile Manager totally sucks. ;)

    Question: what was the purpose of binding my Mac clients to both AD and OD? When we got new MacBooks for staff last summer, I only bound them to AD and it's working fine. But am I missing something?
     
  11. adam9c1 macrumors 68000

    adam9c1

    Joined:
    May 2, 2012
    Location:
    Chicagoland
    #11
    Before Profile Manager you used MCX / Managed Client. You pushed settings to user/groups through Open Directory.
    That's the Magic Triangle.

    Now you do not need OD on clients, only on the server (to create a cert).
     
  12. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #12
    Why bind?
    Why not simply use the SMB Client on macOS for mounting a Windows File Server?

    I have had fun with the good ol' Magic Triangle (Windows 2008 Server, Mac OS X 10.6 Server, Augmented users and Mac OS X 10.6 clients, dual binding).

    But.... nowadays, we (our own office and many clients) simply don't bother anymore with Directory Binding. Simply be a local macOS user, and mount SMB shares and use Apple Mail / iCal (MS Outlook if really necessary).
    Works perfectly.
     
  13. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #13
    There's no need to run Open Directory anymore. You can configure everything you need with profiles (though I would steer away from Profile Manager as the means of doing this since it's not very reliable) and just bind the computers to Active Directory.
    It's also not strictly necessary in every instance to bind computers at all anymore, but the details of that depend on the computing environment.
    --- Post Merged, Nov 4, 2016 ---
    You don't need OD at all.
     
  14. Fancuku macrumors 6502a

    Fancuku

    Joined:
    Oct 8, 2015
    Location:
    PA, USA
    #14
    My thoughts too.
     
  15. ZippyDan macrumors newbie

    Joined:
    Nov 4, 2016
    #15
    If OD is not needed at all, from where does the Mac client download the profiles? The Mac client authenticates through Active Directory, and then how does a (Windows-based) Active Directory server know to apply Mac profiles to a Mac client, and from where and how does it retrieve said profiles?
     
  16. 960design macrumors 68020

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #16
    What do the profiles do? This binding to anything for authentication is antiquated thinking. There are far better ways to accomplish the end goal.

    Very serious question here, no sarcasm ( which is really difficult for me, normally ).
    What service is Exchange providing?
     
  17. ZippyDan macrumors newbie

    Joined:
    Nov 4, 2016
    #17
    Profiles enable tons of things:
    Per user, group, or computer customization of:

    1. Automatic network shares
    2. Automatic configuration of Exchange, Messages, Calendar, etc.
    3. Customized Dock
    4. Customized Applications

    That's just a few. It's basically the same thing as Group Policy in Windows (except not yet as good)
     
  19. adam9c1 macrumors 68000

    adam9c1

    Joined:
    May 2, 2012
    Location:
    Chicagoland
    Last edited: Nov 4, 2016
    #19
    Zippy,

    The profiles are pushed from Profile Manager on a Mac server, not Windows.
    Clients are bound to AD only. I'm pretty sure Mac server needs OD to create a certificate.
    Profile Manager pushes profiles to AD User groups and Computer groups, or other groups created in profile Manager.
     
  20. ZippyDan macrumors newbie

    Joined:
    Nov 4, 2016
    #20
    I know this. I'm using them. My point is how do profiles get pushed out if the computer is not bound to OD?
     
  21. 960design macrumors 68020

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    Last edited: Nov 5, 2016
    #21
    I push profiles via MDM, no need to use Exchange. You could use captive portal to authenticate users on a network, that way they could use whatever tech they wanted. Sure, we have several test labs with equipment we want setup the exact same way, this is what I use profiles for. Most of the clients no longer need or want Big Data telling them how to use their tech.
    --- Post Merged, Nov 5, 2016 ---
    Limited access, not a good use case for global workflows, we rarely get the luxury of sitting in cubicles in a single office building. Recommend something more robust like ownCloud. That way you can access your documents in China without VPN or tunnel access.
    No longer recommended practice. Public calendars are hosted via web applications, same for private / shared calendars. Again accessible from anywhere in the world and with any device. I can access my secretary's calendar with a borrowed Kindle on a plane to Spain. Not so easy with Exchange.
    Seriously? You really had to stretch here.
    This is true. Creating a common, simply managed configuration is best done through something like an exchange server. Sadly this only works on Windows. For example I would use Landscape for Ubuntu systems, Mac Server ( now I'm stretching, because we know the limitations here ) for iOS and OS X systems.

    Here's my argument. Who uses tech like this anymore? No one, everyone is specialized, we no longer have offices of workers with the same configurations. Bound or managed systems create more headaches for IT than they fix with today's use case and tech savvy clients.
     
  22. ZippyDan macrumors newbie

    Joined:
    Nov 4, 2016
    Last edited: Nov 5, 2016
    #22
    A captive portal requires users to perform more steps to get to their resources. Anyway, I think it just comes down to having different work flows and different users. My users are not tech savvy in the least (maybe 1 out of 20 is), and almost all of my users are in office, at their desk. I have very few mobile users. It's just a different business type I think, and for that, authentication and binding and central management works very well.

    Again, different use case. Most of my users do sit in a single office, and if they find themselves in a different office, all my offices are interconnected via VPN and authenticate to the same domain so they can still access their resources from any office.

    Additionally, all of our storage servers can also be accessed via web. So in the rare case that they need to access something from outside the office, we basically have our own internal "cloud" and they can login using their AD credentials. Seems like the best of both worlds to me: via AD and binding, resources are presented to the user automatically when in the office, but are still available without VPN when traveling.

    When was the last time you used Exchange? Exchange has had web access since version 2011 at least (so also in version 2013 and 2016), which allows you to access E-mails, Calendars (shared and personal), and Contacts via a web browser, from any device, borrowed or not.

    Yeah, there are actually like 20 things that can be customized via profiles and I just picked the first one to pop in my head which was the Dock.

    Here is a more complete list, in addition to the features I already listed:

    1. Manage available, authorized, automatically installed printers
    2. Manage network settings, including IPs, subnets, adapters (WiFi, etc.) and VPNs
    3. Manage installed certificates
    4. Restrict or allow access to specific parts of the OS or applications, including system preferences
    5. Customize the Finder window
    6. Specify programs for automatic start
    7. Automatically set up corporate chat in Messages app
    etc.

    Again, I think your use case and workflow and work environment are just very different from mine. I work with a multi-national corporation with offices all over the world, and most of my workers (not all), are desk-bound. A lot of our offices are in poorer countries, and users don't even necessarily have their own capable devices like laptops, or tablets, or smartphones.
     
  23. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #23
    I use Munki to deploy my configuration profiles to the client computers. The computer I use to generate profiles does, by necessity, have OD running, but nothing is bound to that computer.
    Windows servers don't enter into this particular detail. There are several different MDM options, like Casper/JAMF Pro, which configure systems without the use of Open Directory.
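Posts #13 and #23 describe the route that needs no Open Directory at all: the Mac is bound to Active Directory, and everything else arrives as a configuration profile delivered by Munki or an MDM. The script below is an added example, not code from this thread or from any of the tools named in it. It builds a Directory-payload profile that performs the AD bind and then audits such a profile before it is deployed, because the same profile carries the join account's password in clear text and also decides whether LDAP traffic to the domain controllers is signed and encrypted. It assumes Apple's Directory payload type `com.apple.DirectoryService.managed` with its `HostName`, `UserName`, `Password`, `ADPacketSign` and `ADPacketEncrypt` keys; every domain, account and password value is a constructed placeholder.

```python
"""Build and audit a macOS Active Directory binding profile (.mobileconfig).

Added example, not code from the thread. It assumes Apple's Directory payload
type (com.apple.DirectoryService.managed) and its ADPacketSign / ADPacketEncrypt
keys; every domain, host, account and password value below is a constructed
placeholder.
"""
import plistlib
import uuid

DIRECTORY_PAYLOAD = "com.apple.DirectoryService.managed"

# Built-in accounts that should never be the bind (domain join) identity: the
# profile stores the account password in clear text, so the account must be a
# dedicated, least-privilege "join computers to the domain" account.
PRIVILEGED_JOIN_ACCOUNTS = {"administrator", "admin", "root"}


def build_ad_bind_profile(domain, join_user, join_password,
                          packet_sign="require", packet_encrypt="require",
                          mobile_accounts=True, org="Example Org (placeholder)"):
    """Return a configuration profile (as a dict) that binds a Mac to `domain`."""
    directory_payload = {
        "PayloadType": DIRECTORY_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ad-bind.directory",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Bind to {domain}",
        "HostName": domain,                 # AD domain to join
        "UserName": join_user,              # account allowed to create computer objects
        "Password": join_password,          # kept in clear text inside the profile
        "ADPacketSign": packet_sign,        # LDAP signing: disable / allow / require
        "ADPacketEncrypt": packet_encrypt,  # LDAP encryption: disable / allow / require
        "ADCreateMobileAccountAtLogin": mobile_accounts,  # cached logins for laptops
        "ADWarnUserBeforeCreatingMA": False,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.ad-bind",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Active Directory binding ({domain})",
        "PayloadOrganization": org,
        "PayloadContent": [directory_payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile to the XML plist bytes a .mobileconfig file holds."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_directory_profile(mobileconfig_bytes):
    """Parse .mobileconfig bytes and return findings for every Directory payload.

    An empty list means each Directory payload requires LDAP signing and
    encryption and does not bind with a built-in privileged account.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != DIRECTORY_PAYLOAD:
            continue
        name = payload.get("PayloadDisplayName", payload.get("PayloadUUID", "?"))
        for key in ("ADPacketSign", "ADPacketEncrypt"):
            value = payload.get(key)
            if value != "require":
                findings.append(f"{name}: {key} is {value!r}; expected 'require'")
        join_user = payload.get("UserName", "")
        # The account may be written as DOMAIN\user; compare the bare name.
        bare_user = join_user.split("\\")[-1].lower()
        if bare_user in PRIVILEGED_JOIN_ACCOUNTS:
            findings.append(f"{name}: join account {join_user!r} is a built-in "
                            "privileged account; use a dedicated join-only account")
    return findings


if __name__ == "__main__":
    hardened = build_ad_bind_profile("ad.example.com", "svc-macjoin", "placeholder-secret")
    weak = build_ad_bind_profile("ad.example.com", "Administrator", "placeholder-secret",
                                 packet_sign="allow")
    print("hardened profile findings:", audit_directory_profile(to_mobileconfig(hardened)))
    print("weak profile findings:", audit_directory_profile(to_mobileconfig(weak)))
```

The two settings the audit insists on are the profile equivalents of `dsconfigad -packetsign require -packetencrypt require`; leaving them at `allow` lets a client fall back to unsigned, unencrypted LDAP when a domain controller offers it. Because the join password is inside the profile, distribute it only through the management channel (Munki or an MDM) and not as a file users can copy, and point it at an account whose only right is creating computer objects in the intended OU.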
     
  24. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #24
    That's a simple way that doesn't work going to Domain-controlled network shares, Domain NASes, email servers, etc. You have to be on that Domain!
     
  25. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #25
    That's not universally true. A user on a non-bound computer can generally access file shares by using the login name of domain\username.
     
